Student Privacy Notice

STUDENT DATA PROTECTION PRIVACY NOTICE

The University of Limerick (the University) must process the personal data of its students (you) in order to carry out its functions and manage its operations. The processing of this data is carried out in accordance with the General Data Protection Regulation (GDPR) / Data Protection Acts 1988-2018 and with the University's Data Protection Policy. The University is the Data Controller for personal data we process about you.

The purpose of this Data Protection Privacy Notice is to explain how the University uses personal data we collect and hold about prospective, current and graduated students of the University. This notice should be read in conjunction with the University’s Data Protection Policy and Compliance Regulations (available at www.ul.ie/dataprotection).

This notice extends to all your personal data as defined under Article 2(1) of the General Data Protection Regulation (EU) 2016/679.

The full, printable version of the University's Student Privacy Notice can be viewed here.

1.1 The University must process your personal data in order to provide educational services through its teaching, research and associated academic and administrative activities, for example, recruitment of students, provision of programmes of study, examinations, engaging with accrediting bodies and Government agencies such as the Higher Education Authority and Department of Education & Skills.

1.2 As part of its administrative activities and in order to ensure a safe and secure campus for you and your fellow students, the University processes personal information through the use of CCTV to monitor and collect images for the purposes of security, the prevention and detection of crime and, where necessary, to assist with serious disciplinary matters.

1.3 Other circumstances in which the University processes your personal data include the sharing of only the required level of data with the UL Students’ Union/Postgraduate Students’ Union and the UL Alumni Association in order to facilitate your membership of these bodies.

1.4 In addition, the University will process your personal data in order to promote University programmes of study; extracurricular services; circulation of UL Links Magazine; the undertaking of research, fundraising etc. and in these circumstances your explicit consent will be sought to enable such processing.

2.1 Student data is mainly obtained from the details you provide through the CAO (Central Applications Office), PAC (Postgraduate Applications Centre), or directly through the application/enrolment/registration process. Student academic performance data will be collected during the course of your studies and held by the University on its records systems. Additional data is collected/recorded by a number of services/offices within the University to meet specific needs (e.g. Faculty/Department, Student Affairs Division, Library, Fees Office, Student Health Centre, Student Counselling Service etc).

2.2 The University provides this Privacy Notice, which in broad terms explains how and why we typically process and share your personal data.

3.1 Data Protection law requires that the University must have a valid lawful basis in order to process personal data. The University relies on a number of such bases as follows:

3.1.1 The provision of a contract - much of the personal information the University processes is necessary to meet its commitments to you, for example, processing your data in relation to teaching, assessment and associated administration. The following sets out the main purposes of which we process your personal data in the provision of a contract:

Recruitment and admission of students;

Provision of teaching and associated academic services including examinations, progression and related administration;

Graduation – type and status of graduate awards are publicly acknowledged at University of Limerick conferring ceremonies and are published in the University's conferring booklet; Graduation ceremonies are regarded as public events and may be recorded and/or live streamed by the University.

Delivering plagiarism checking and academic validation services;

Providing services necessary for the student experience (Including Library, IT and communication services);

Providing support and maintenance services (including IT);

Safeguarding and promoting welfare of students;

Dealing with grievances and disciplinary actions;

Dealing with complaints and enquiries;

Providing careers and placement advice and services;

Providing/offering facilities and services to you during your time as a student and thereafter as part of the University’s business (e.g. library access, computing, UL Students’ Unions, Alumni membership and activities);

Service improvement via feedback and surveys;

Internal reporting and record keeping;

Responding to data access requests you make;

Inclusion in the University’s Outlook directory, website;

Providing student support services including:

Disability and learning support services; - Careers and employment advice and services;

Health and wellbeing services;

University SMS text messaging system: as a registered student, you will be automatically added to the list to receive texts regarding University-related information, for example, cancellation/ rescheduling of lectures, exam reminders etc. If you are not interested in receiving text alerts from us, you can opt out of this service in the Student Portal by changing your preferences in your Personal Details page. Regardless of the foregoing, the University will send you an SMS text message in the event of an emergency, where possible.

University email distribution lists: as a registered student you will automatically be added to a number of email distribution lists to enable the University to manage its operations and provide the full range of services to you. An opt-out option is not permitted for these operations and core services.

3.1.2 The fulfilment a legal obligation – the University must process your personal data when required to do so under Irish/EU law, for instance:

sharing information with statutory bodies like the Higher Education Authority;

Monitoring equal opportunities;

Providing safety and operational information;

Performing audits;

Preventing and detecting crime;

Administration of insurance and legal claims;

Garda vetting;

Creation of reports and statistics which the University is required to return to Government Depts. etc;

3.1.3 To protect the vital interest of you or another person - under extreme circumstances the University would share your personal data with third parties to protect your interests or those of another person, for example,

.3.1.5 Consent - under certain circumstances, the University will only process your personal data with your explicit consent. Explicit consent requires you to make a positive, affirmative action and be fully informed about the matter to which you are consenting, for example:

Providing information on UL courses and other programmes of study that may be of interest and benefit to students, applicants and other interested parties;

Promoting the University’s services (e.g. summer schools, student exchanges, or other events happening on and off campus);

Marketing, including images, online, in print and on social media; publications, invitations and other communications (eg UL Links etc); e-news and flash emails; the promotion of University events;

References: Academic staff may agree to provide a reference for you if you apply for a job or further study. You should ensure that the requesting organisation is in a position to provide the academic staff member with a copy of your signed consent to the issuing of your reference to them;

4.1 Your personal data may be shared between members of staff within the University in order for the University to fulfil its functions and objects.

4.2 In addition to the foregoing principle, the University will employ reasonable and appropriate administrative, technical, personnel, procedural and physical measures to safeguard your information against loss, theft and unauthorised users’ access, uses or modifications.

4.3 The following principles apply:

Confidentiality - only people who are authorised to use the data will be authorised to access it.

Staff are required to maintain the confidentiality of any of your data to which they have access.

Integrity – the University will make all reasonable efforts to ensure that your personal data is maintained accurately and remains suitable for the purpose for which it is processed.

Availability - that authorised users should be able to access the data if they need it for authorised purposes.

5.1 The University may disclose certain personal data to third parties. These external organisations, and the purpose for sharing the information, are set out below (This list will be updated periodically as required). The University will only share your personal data with external third parties where we are required to do so under a statutory or legal obligation, or we are required to do so under a contractual obligation or we have your consent, or we are otherwise permitted to do so in accordance with data protection legislation. The disclosure of your data to third parties includes:

Affiliated Organisations, Organisations established as a separate legal entity whose primary purpose is to support the University in developing and enhancing student engagement and overall student experience. Examples include the Students’ Union and the Postgraduate Students’ Union. As a student of the University, you will be entitled to avail of relevant services provided by these organisations. Your UL email address will be shared with the relevant Students’ Union. These organisations have access to UL Student email distribution lists (not individual student email addresses). This sharing is governed by a Data Sharing Agreement between the organisation and the University;

Garda Siochana - prevention/detection of crime, apprehension and prosecution of offenders, protection of an individual’s vital interests/welfare or safeguarding national security.

Garda Vetting Bureau - details of students who have applied for courses that require Garda vetting.

Insurance companies for the purpose of providing insurance cover or in the event of an insurance related claim.

Academic Institutions / partner Higher Education Institutions If you are involved in study arrangements with other organisations, e.g. exchanges, placements, the University may disclose some of your personal data to the relevant provider including those outside of the European Economic Area (EEA).

Software Service Provider Microsoft 365 - to provide a student email service for the University.

Accreditation/Professional bodies The University is obliged to share your personal data with professional bodies to confirm your qualifications and accreditation of your course (e.g. Medical Council, Nursing & Midwifery Board of Ireland etc).

Employers, voluntary and charitable organisations. To facilitate co-operative and volunteering placements of students.

Financial sponsors If a student’s tuition fees are paid under a sponsorship, scholarship or loan arrangement by an external organisation (e.g. your employer), the University may share personal data relating to your attendance and academic progress.

Prospective employers for confirmation of qualification and provision of references – with your consent.

External Software As A Service (SAAS) providers. The University has entered into commercial agreements with external software service providers to support and enhance teaching, learning and assessment and research mission of the University. These services include Learning Management Systems, online discussion forums, lecture and tutorial recording, research publications, authenticity checking, and feedback and assessment.

Press and the media (with your consent we may share information about you for publicity and marketing purposes online, in print and on social media.

Fulfilment (posting of letters) Companies - Data released to printers for the purpose of facilitating mailshots on behalf of the University.

Data may be shared with reputable “data processors” for the purposes of sending communications (eg mailchimp).

5.2 Parents, guardians and other relatives The University will not disclose your personal data to parents or relatives without your consent, other than in exceptional circumstances.

6.1 In some instances your personal data will be shared with third parties outside of the European Economic Area (EEA) for example North America and Australia. When required, the University will transfer your personal data outside of the EEA when one of the following conditions have been met:

The Data Protection Commission permits the transfer to the non-EEA country or organisation.

There are adequate safeguards in place and your rights and legal remedies as a data subject are available to you.).

The Country is listed by the European Commission as safe.

You have given us explicit consent for the transfer.

The transfer is necessary for the performance of conclusion of a contract with you or in your interest.

The transfer is necessary for important reasons of public interest.

The transfer if necessary for the establishment, exercise or defense of legal claims.

The transfer is necessary to protect your vital interest or other persons where you are unable to give your consent.

The transfer is made from a register which according to the EU or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU and Member State Law for consultation are fulfilled in the particular case.

7.1 The University retains all personal data in accordance with its Records Management and Retention Policy. The University will need to maintain some records relating to you after you graduate in order to provide services to you as a graduate of the University. This includes: verifying your award, providing transcripts of your marks, opportunities for further study, academic references, careers support, alumni and networking services

7.2 Alumni: When you graduate/complete your course, you will automatically be included as a member of the University’s Alumni Association, UL Alumni. You will receive emails from Alumni about the benefits of staying in touch. The UL Alumni webpage provides further information as to how your personal data will be used and how you can opt out from communications.

7.3 Data that is not required to fulfil the services the University will provide to you after you graduate will be securely deleted in accordance with the University’s Records Management & Retention Policy.

with regard to rights within the legislation relating to “automated decision-making”, the University does not use such processes and they do not arise.

to restrict the use of the data we hold and the right to object to the University using your data - please contact the Information Management team if you believe your personal data is being used unlawfully or you have reason particular to your personal situation why we should not be processing it.

8.2 Requests for any of the above should be addressed by email to dataprotection@ul.ie or in writing setting out your specific request to the University’s Data Protection Officer, Office of the Corporate Secretary, University of Limerick, Limerick. Your request will be processed within 30 days of receipt. Please note, however, it may not be possible to facilitate all requests, for example, where the University is required by law to collect and process certain personal data including that personal information that is required of any student of the University.

8.3 Additionally, you can update your personal data on the SI system or alternatively by contacting the Student Academic Administration Office at saa@ul.ie.

9.1 Updating your details: The GDPR requires that personal data is accurate. Please let the University know if your contact details change. If we do not have the correct contact details, we cannot take responsibility if we are unable to provide you with any information you require, for example, missing an exam or deadline resulting in serious consequences.

9.2 Processing Personal Data: You must comply with the University’s Data Protection Policy and the GDPR if, as a student, you have access to the personal data of others; or if you wish to collect or process any personal data as part of your studies or research. You must ensure that you notify and seek approval from your supervisor and the relevant University Research Ethics Committee if required, before any processing occurs. If you are processing personal data other than as part of your studies, you should contact the Office of the Data Protection Commissioner (Supervisory Authority) as you will not be covered under the University’s registration. You can contact that Office at info@dataprotection.ie or by writing to the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois.

10.1 Further information on Data Protection at the University of Limerick may be viewed at www.ul.ie/dataprotection. You can contact the University’s Data Protection Officer at dataprotection@ul.ie or by writing to Data Protection Officer, Room A1-073, University of Limerick, Limerick.

10.2 You have a right to lodge a complaint with the Office of the Data Protection Commissioner (Supervisory Authority). While we recommend that you raise any concerns or queries with us first, you may contact that Office at info@dataprotection.ie or by writing to the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois.